An AI-driven vulnerability, known as RoguePilot, was discovered in GitHub Codespaces, allowing attackers to covertly take control of a repository by embedding harmful instructions within a GitHub Issue. This critical flaw leverages the integration between GitHub Issues and the Copilot AI agent in Codespaces, enabling a full repository takeover without direct attacker interaction.
Details of the Vulnerability
The security issue, uncovered by Orca Research Pod, was responsibly reported to GitHub, leading to a patch by Microsoft. RoguePilot is categorized as a Passive Prompt Injection, where malicious commands are embedded in the content processed by a language model automatically. This attack activates as soon as a developer opens a Codespace from a compromised GitHub Issue, feeding the issue’s details to GitHub Copilot, thereby allowing untrusted content to influence the AI’s actions.
Execution of the Attack
Roi Nisimi from Orca Security demonstrated the attack chain by embedding hidden commands within a GitHub Issue using HTML comment tags, invisible to human viewers but readable by Copilot. Upon opening the Codespace, Copilot executed these instructions silently. The attack proceeds through a three-step exfiltration process, involving symbolic links and exploiting Copilot’s file access capabilities, to extract a GITHUB_TOKEN.
Finally, the attack creates a JSON file with a schema property linked to an attacker-controlled server. This setup facilitates the exfiltration of the GITHUB_TOKEN by adding it as a URL parameter, granting the attacker full repository access.
Implications and Recommendations
RoguePilot is identified as a novel AI-mediated supply chain attack, demonstrating how an AI agent’s capabilities can be manipulated against developers. The attack requires no special permissions or victim interaction, making it accessible to low-sophistication attackers.
Security experts highlight the risks of granting AI agents extensive permissions and suggest adopting fail-safe measures for LLM-integrated tools. Recommendations include treating repository content as untrusted, disabling passive agent prompting, enforcing stricter symlink controls, and limiting token scopes and lifespans.
This vulnerability underscores the need for heightened security practices in AI tooling environments, ensuring they can distinguish between legitimate and adversarial inputs.
